What is the EscrowService keychain item?

Solution 1:

Well, Lakitu is the turtle that rides in a cloud and throws spiny bombs at the hero of the Super Mario Bros game.

However, I have no such key in any of the Macs which I have enabled iCloud keychain sync, so despite the extremely evocative name of com.apple.lakitu I'm not so sure it's part of the default setup unless it's a placeholder for someone that hasn't yet allowed any keychain items to be stored for syncing?

My only guess is that it holds a key until you establish your syncing or if you do not choose a security code and it stores a self generated code rather than using just your iCloud keychain pin to sync. If you haven't enabled an actual long form security code or added a second device that could be a reason why I'm not seeing this entry and you are.

Solution 2:

I just today found an article explaining the escrow service for iCloud Keychain.

If iCloud Keychain is configured to use 4-digit iCloud Security Code (which is a default) then there is additional iCloud service involved: "escrow proxy." In a nutshell, escrow proxy holds encryption keys to the keychain items shared via iCloud and provides those keys to properly authenticated clients.

The problem with this, according to the article, is that the 4-digit code is then used to encrypt the escrow key. The 4-digit code constitutes a very weak form of encryption which Apple (or an attacker gaining access to the encrypted data stored with Apple) could brute-force very quickly.

It's been a long time, and I don't entirely recall if I tried the 4-digit code. If I did, that would explain this.

It seems the best advice is to use the long password for iCloud Keychain or avoid it entirely.